lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: security flaw on auth tokens, error handling

Browse source
This commit is contained in:
Sérgio Salgado 2021-04-06 19:12:36 +01:00 committed by Josh Harvey
parent 40974dd501
commit c00249586d
12 changed files with 185 additions and 144 deletions
Download patch file Download diff file Expand all files Collapse all files

133
lib/users.js
View file

@ -37,16 +37,21 @@ function getByIds (ids) {
return db.any(sql, [idList])
}
function getUserById (id) {
const sql = `SELECT * FROM users WHERE id=$1`
return db.oneOrNone(sql, [id])
}
function getUserByUsername (username) {
const sql = `SELECT * FROM users WHERE username=$1`
return db.oneOrNone(sql, [username])
}
function getUsers () {
const sql = `SELECT id, username, role, enabled, last_accessed, last_accessed_from, last_accessed_address FROM users ORDER BY username`
return db.any(sql)
}
function getByName (username) {
const sql = `SELECT id, username, role, last_accessed FROM users WHERE username=$1 limit 1`
return db.oneOrNone(sql, [username])
}
function verifyAndUpdateUser (id, ua, ip) {
const sql = `SELECT id, username, role, enabled FROM users WHERE id=$1 limit 1`
return db.oneOrNone(sql, [id]).then(user => {
@ -59,83 +64,66 @@ function verifyAndUpdateUser (id, ua, ip) {
})
}
function createUser (username, password, role) {
const sql = `INSERT INTO users (id, username, password, role) VALUES ($1, $2, $3, $4)`
return bcrypt.hash(password, 12).then(function (hash) {
return db.none(sql, [uuid.v4(), username, hash, role])
})
}
// TO DELETE
function deleteUser (id) {
const sql = `DELETE FROM users WHERE id=$1`
const sql2 = `DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`
return db.none(sql, [id]).then(() => db.none(sql2, [id]))
}
function findById (id) {
const sql = 'SELECT id, username FROM users WHERE id=$1'
return db.oneOrNone(sql, [id])
}
function get2FASecret (id) {
const sql = 'SELECT id, username, twofa_code, role FROM users WHERE id=$1'
return db.oneOrNone(sql, [id])
}
function save2FASecret (id, secret) {
return db.tx(t => {
const q1 = t.none('UPDATE users SET twofa_code=$1 WHERE id=$2', [secret, id])
const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id])
return t.batch([q1, q2])
// const sql = 'UPDATE users SET twofa_code=$1 WHERE id=$2'
// const sql2 = `DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`
// return db.none(sql, [secret, id]).then(() => db.none(sql2, [id]))
})
}
function validate2FAResetToken (token) {
const sql = `DELETE FROM reset_twofa
WHERE token=$1
RETURNING user_id, now() < expire AS success`
const sql = `SELECT user_id, now() < expire AS success FROM auth_tokens
WHERE token=$1 AND type='reset_twofa'`
return db.one(sql, [token])
.then(res => ({ userID: res.user_id, success: res.success }))
}
function reset2FASecret (token, id, secret) {
return validate2FAResetToken(token).then(res => {
if (!res.success) throw new Error('Failed to verify 2FA reset token')
return db.tx(t => {
const q1 = t.none('UPDATE users SET twofa_code=$1 WHERE id=$2', [secret, id])
const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id])
const q3 = t.none(`DELETE FROM auth_tokens WHERE token=$1 and type='reset_password'`, [token])
return t.batch([q1, q2, q3])
})
})
}
function createReset2FAToken (userID) {
const token = crypto.randomBytes(32).toString('hex')
const sql = `INSERT INTO reset_twofa (token, user_id) VALUES ($1, $2) ON CONFLICT (user_id) DO UPDATE SET token=$1, expire=now() + interval '30 minutes' RETURNING *`
const sql = `INSERT INTO auth_tokens (token, type, user_id) VALUES ($1, 'reset_twofa', $2) ON CONFLICT (user_id) DO UPDATE SET token=$1, expire=now() + interval '30 minutes' RETURNING *`
return db.one(sql, [token, userID])
}
function updatePassword (id, password) {
bcrypt.hash(password, 12).then(function (hash) {
return db.tx(t => {
const q1 = t.none(`UPDATE users SET password=$1 WHERE id=$2`, [hash, id])
const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id])
return t.batch([q1, q2])
})
// const sql = `UPDATE users SET password=$1 WHERE id=$2`
// const sql2 = `DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`
// return db.none(sql, [hash, id]).then(() => db.none(sql2, [id]))
})
}
function validatePasswordResetToken (token) {
const sql = `DELETE FROM reset_password
WHERE token=$1
RETURNING user_id, now() < expire AS success`
const sql = `SELECT user_id, now() < expire AS success FROM auth_tokens
WHERE token=$1 AND type='reset_password'`
return db.one(sql, [token])
.then(res => ({ userID: res.user_id, success: res.success }))
}
function updatePassword (token, id, password) {
return validatePasswordResetToken(token).then(res => {
if (!res.success) throw new Error('Failed to verify password reset token')
return bcrypt.hash(password, 12).then(function (hash) {
return db.tx(t => {
const q1 = t.none(`UPDATE users SET password=$1 WHERE id=$2`, [hash, id])
const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id])
const q3 = t.none(`DELETE FROM auth_tokens WHERE token=$1 and type='reset_password'`, [token])
return t.batch([q1, q2, q3])
})
})
})
}
function createResetPasswordToken (userID) {
const token = crypto.randomBytes(32).toString('hex')
const sql = `INSERT INTO reset_password (token, user_id) VALUES ($1, $2) ON CONFLICT (user_id) DO UPDATE SET token=$1, expire=now() + interval '30 minutes' RETURNING *`
const sql = `INSERT INTO auth_tokens (token, type, user_id) VALUES ($1, 'reset_password', $2) ON CONFLICT (user_id) DO UPDATE SET token=$1, expire=now() + interval '30 minutes' RETURNING *`
return db.one(sql, [token, userID])
}
@ -149,20 +137,37 @@ function createUserRegistrationToken (username, role) {
}
function validateUserRegistrationToken (token) {
const sql = `DELETE FROM user_register_tokens WHERE token=$1
RETURNING username, role, now() < expire AS success`
const sql = `SELECT username, role, now() < expire AS success FROM user_register_tokens WHERE token=$1`
return db.one(sql, [token])
.then(res => ({ username: res.username, role: res.role, success: res.success }))
}
function register (token, username, password, role) {
return validateUserRegistrationToken(token).then(res => {
if (!res.success) throw new Error('Failed to verify registration token')
return bcrypt.hash(password, 12).then(hash => {
return db.tx(t => {
const q1 = t.none(`INSERT INTO users (id, username, password, role) VALUES ($1, $2, $3, $4)`, [uuid.v4(), username, hash, role])
const q2 = t.none(`DELETE FROM user_register_tokens WHERE token=$1`, [token])
return t.batch([q1, q2])
})
})
})
}
function changeUserRole (id, newRole) {
const sql = `UPDATE users SET role=$1 WHERE id=$2`
return db.none(sql, [newRole, id])
}
function toggleUserEnable (id) {
const sql = `UPDATE users SET enabled=not enabled WHERE id=$1`
function enableUser (id) {
const sql = `UPDATE users SET enabled=true WHERE id=$1`
return db.none(sql, [id])
}
function disableUser (id) {
const sql = `UPDATE users SET enabled=false WHERE id=$1`
return db.none(sql, [id])
}
@ -170,20 +175,20 @@ module.exports = {
get,
getByIds,
getUsers,
getByName,
getUserById,
getUserByUsername,
verifyAndUpdateUser,
createUser,
deleteUser,
findById,
updatePassword,
get2FASecret,
save2FASecret,
reset2FASecret,
validate2FAResetToken,
createReset2FAToken,
validatePasswordResetToken,
createResetPasswordToken,
createUserRegistrationToken,
validateUserRegistrationToken,
register,
changeUserRole,
toggleUserEnable
enableUser,
disableUser
}